Loading...

XML

Word

Printable

Details

Type: Suggestion
Resolution: Fixed
Component/s: Integration - Webhooks
Labels:
- migrated

Feedback Policy:

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

Description

There is currently no way of authenticating webhooks. While IP whitelisting could work, it is fragile and cumbersome to maintain a list of allowed IP addresses (even if said list is available through an API).

A simple & proven way of authenticating any kind of payload is to join an HMAC signature with the payload.

All is required is a shared secret between Bitbucket and the webhook receiver. We should be able to provide said secret on the webhook configuration page (and the API). Then, Bitbucket sends the webhook with the computed HMAC (in a header or within the payload) so that the receiver can check it.

Please note that this feature is already implemented by Github.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

1451779052285screensave.png
35 kB
08/Sep/2019 11:38 PM

Issue Links

is related to

BCLOUD-20867 Support webhook alternate or proxy for on-prem CI/CD

Closed

BCLOUD-16271 Ability to add secret fields to webhooks

Closed

BCLOUD-14683 Add webhook secret

Closed

ENT-1420 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...

(2 mentioned in)

Activity

People

Assignee:: Edmund Munday

Reporter:: Zopieux

Votes:: 103 Vote for this issue

Watchers:: 51 Start watching this issue

Dates

Created:: 02/Jan/2016 11:58 PM

Updated:: 25/Oct/2023 3:15 AM

Resolved:: 25/Oct/2023 3:15 AM